[Snort-sigs] SSH brute force attack sig

Matt Jonkman matt at ...2436...
Thu Jul 7 08:55:31 EDT 2005

Nigel Houghton wrote:
>>True, but we're still not able to use those events to respond or block.
> You seem rather set on this course of action. I do not think that an
> automated response to portscans is a very wise idea at all. But that's
> just my $0.02.

I agree. That's why I use these specific sigs. I'd never really *want*
to block or respond based on sfportscan info, it's just too unreliable.
There are times where legit traffic trips it, and no tuning can fix that
without causing false negatives, as far as I've ever played with it at

Maybe the next iteration of portscan could incorporate the ability to
set different thresholds for ports or ranges? That would help, but the
output still needs to be more useful. We need to be able to specify a
response based on the ports hit, that really keeps us in the individual
sig solution.

How much of an impact does a sig like this have on performance Nigel? I
had always assumed it was pretty minimal. It's using flow and a
threshold, so never even has to go into the payload for a content match.
but it does have to keep state in the threshold.


Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.

More information about the Snort-sigs mailing list